Two recent events have put sharing – in the forms of a shared data center and sharing of servers – in the spotlight: the recent data theft at the US Office of Personnel Management and the VENOM security bug.
As Bob Cromwell pointed out in his post on the OPM Hack, this is not proof that the cloud is insecurable, not does it prove that shared hosting environments are inherently bad. What these issues do show is that both the cloud nor shared hosting data centers – even those equipped with sophisticated intrusion detection systems require lots of diligent monitoring.
First, let’s look at VENOM. This is a bug that impacts some virtual machines, specifically those running under Xen, KVM, and VirtualBox (but not VMWare or Hyper-V). The bug is in the virtual floppy disk driver. I haven’t used a floppy disk – real or virtual – in a long time, but these hypervisors support them just in case. It seems the driver can be manipulated to crash the virtual machine and thus give an attacker access to the hypervisor that controls other virtual machines on the same server, or maybe on multiple servers. That’s bad, and it seems the vendors have patched the software.
The second recent issue is the attack on the computers run by the US Office of Personnel Management (OPM). The OPM computers were in a shared data center. That’s where multiple organizations put their computers in a single facility. It allows the organizations to share resources while still keeping their computers and the management of those computers separate. The arrangement is common in the private sector and generally saves money. I like the idea and use a shared server in a shared data center myself. More on that later.
The data center used by OPM has a very sophisticated intrusion detection system called EINSTEIN 3. That system covers the entire data center that housed the OPM systems. Unfortunately, it didn’t detect the attack, likely because the attack hadn’t been seen before and didn’t trigger the system. The attackers were clearly sophisticated and clever enough to avoid detection for some time. Having a great intrusion detection system – whether in a shared data center or in one internal to an organization – doesn’t replace the need for monitoring of individual systems. It would be wonderful if it did! We don’t yet know the nature of the attack on the OPM computers, and we may never know. The point here is that monitoring of individual computers is essential.
Finally, on a personal note, the server on which my mail and website are hosted also hosts other organizations. It is more affordable for me that way. All those organizations share an IP address. Recently one of the hosts on that server was the victim of a Distributed Denial of Service attack. That meant that the IP address of the shared server was flooded with data. The provider addressed the attack by having the upstream provider block traffic to that address. That meant that I could not access my email or website. Bummer for me, but a consequence of that type of hosting.
So there are risks of shared data centers and VMs or websites on a shared server. It is important to be aware of those risks and how to mitigate them. They may not be easy or possible to eliminate or maybe a patch will eliminate a particular threat. We talk about patching, sharing, and threat mitigation in Learning Tree’s System and Network Security Introduction and I look forward to seeing you in one of those events.
To your safe computing,